Showing posts with label exchange server. Show all posts

Monday, August 18, 2008

Exchange 2007: Cannot remove accepted domains

Interesting little problem I discovered this morning, when trying to remove domains from the accepted domains tab in Exchange 2007 Server.

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
Action 'Remove' could not be performed on object 'domain-name.com.au'.

domain-name.com.au
Failed
Error:
Cannot remove the domain 'domain-name.com.au' because it is referenced by the proxy address template 'smtp:@domain-name.com.au'.

---------

Our site was an Exchange 2003 organisation migrated to Exchange 2007... which is probably why I couldn't see any reference to the domain in the E-Mail address policies tab. Though some are visible, so I'll just put it down to a dodgy migration process.

I stumbled upon this link, which helped me identify my issue. It refers to editing a string for which I had no data, which might be because we're running a Windows 2008 domain as well.

Anyway here are the steps I used to resolve the above issue:

Logged onto a domain controller (Windows 2008)

  1. Start Menu, Administrative Tools, ADSI Edit
  2. Action Menu, Connect to...
  3. From the drop-down list labelled 'Select a well known Naming Context:' I selected 'Configuration'
  4. Expanded the tree down, Configuration, Services, Microsoft Exchange, 'Org Name' , Recipient Policies
  5. Edit Default Policy
  6. Edit 'gatewayProxy'
  7. Removed the entry for the domain I was having problems with: 'smtp:@domain-name.com.au'
  8. Clicked OK, then OK again, closed ADSI Edit
  9. I then waited a few minutes and tried to remove the domain from the accepted domains tab.

It now removed without problems!

Tuesday, June 17, 2008

MS Exchange SMTP behind Cisco PIX : Mailguard of DOOM

I'm by no means an expert in Cisco PIX, but I've had my fair share of success troubleshooting random problems with them.

In this episode... My MS Exchange Server 2007 box has been happily humming away for the last few weeks; SMTP for POP users is served up from behind a Cisco PIX 515e. However something bad happened... something very bad.

Just recently I discovered a bunch of users (including myself) could no longer connect to the SMTP server, while other users could. After hours of painstaking troubleshooting, it was nailed down to a problem with the PIX. A little more research led to a little security feature from Cisco named Mailguard. Note that Mailguard can also have adverse effects on POP3 communications when using Windows integrated authentication.

Mailguard's role is to check for dodgy connections or non-standard SMTP commands and drop them, basically shielding the SMTP service on the host behind the PIX. In theory great, in practice with Microsoft Exchange servers... not so great.

Don't ask me how Mailguard (SMTP port 25 inspection) became enabled, when it was ever so clearly not enabled for the last few weeks, but this is how it was resolved:

You may have read in lots of posts on the Internet about running the following command:

# no fixup protocol smtp 25

That command didn't resolve our problem: Mailguard was still actively dropping connections and/or was visible via the XXXXXXXXXXXXXXXXXX that appeared when you telnet into port 25 (if we were lucky enough to find a machine which could telnet, as Mailguard also outright refuses connections in certain cases).

The trick was to manually remove the esmtp inspections, as I couldn't do it via the ASDM GUI.

These steps are what worked for me, however you may need to verify the names of your policies:

# conf t
# policy-map global-policy
# class global-class
# no inspect esmtp

Save that to your startup configuration and you're set.

A quick telnet test is all the proof you'll need to know whether Mailguard is disabled. You will see the real Microsoft Exchange SMTP banner instead of the XXXXXXXXXX.
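
The telnet check described above can be scripted so it is repeatable from several client machines. The following is an added example, not code from the original post: it classifies a captured banner and EHLO reply as masked or clear. The mask characters, the run length of 8, the function names and the sample captures are all assumptions made for illustration.

```python
import re
import socket

# Assumption: a run of 8+ 'X' (as the post saw) or '*' characters in a reply
# means the firewall rewrote it; the threshold of 8 is illustrative.
MASK_RUN = re.compile(r"X{8,}|\*{8,}")

def parse_reply(raw):
    """Split raw SMTP reply text into (code, text) tuples, one per line."""
    pairs = (re.match(r"(\d{3})[ -](.*)", ln.strip()) for ln in raw.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in pairs if m]

def classify(banner_raw, ehlo_raw=""):
    """Return 'masked', 'clear' or 'no-greeting' for a captured session."""
    banner = parse_reply(banner_raw)
    if not banner or banner[0][0] != 220:
        return "no-greeting"
    replies = banner + parse_reply(ehlo_raw)
    return "masked" if any(MASK_RUN.search(t) for _, t in replies) else "clear"

def read_reply(sock):
    """Read one complete (possibly multi-line) SMTP reply from the socket."""
    data = b""
    while not re.search(rb"(?:^|\n)\d{3} [^\n]*\n$", data):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", "replace")

def probe(host, port=25, timeout=10):
    """Classify a live server; 'no-connection' covers refused or dropped sessions."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = read_reply(s)
            s.sendall(b"EHLO probe.example.invalid\r\n")
            return classify(banner, read_reply(s))
    except OSError:
        return "no-connection"

# Constructed sample captures (not taken from the post).
MASKED_BANNER = "220 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n"
CLEAR_BANNER = "220 mail.example.com Microsoft ESMTP MAIL Service ready\r\n"
CLEAR_EHLO = "250-mail.example.com Hello [192.0.2.10]\r\n250-SIZE 10485760\r\n250 OK\r\n"
MASKED_EHLO = "250-mail.example.com Hello [192.0.2.10]\r\n250-XXXXXXXXXXXXXXXXA\r\n250 OK\r\n"

if __name__ == "__main__":
    import sys
    print(classify(MASKED_BANNER), classify(CLEAR_BANNER, MASKED_EHLO))
    for target in sys.argv[1:]:
        print(target, probe(target))
```

Run it with your own mail server's address as an argument, before and after the policy-map change, from both a client that works and one that doesn't.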